criticalmass24 sends news that multiple banks are indicating Home Depot stores are the source of a new batch of stolen credit cards and debit cards that hit the black market today. "There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others. The banks contacted by this reporter all purchased their customers’ cards from the same underground store – rescator[dot]cc — which on Sept. 2 moved two massive new batches of stolen cards onto the market." Home Depot is aware of the situation, and says they're investigating. The banks say this breach may have begun as early as April or May of this year and may extend to all 2,200 of Home Depot's U.S. stores.

The problem is that these data compromises are going to happen and that the current magnetic strip technology is laughably obsolete and insecure. Chip + PIN effectively mitigates the weakness in magnetic strip data by embedding a chip (physical, something you have) and a pin (something you know) into the transaction process, plus many other security enhancements. Current magnetic strip cards are authenticated purely by a string of digits (something you know) and are easily copied and reproduced.

That's why you include a fee with your Bitcoin transaction. The larger the fee the more quickly you should get confirms back.

Bitcoin really wasn't designed to be used as a currency; payment just happened to be one of the first applications developed using the protocol. If you need confirmation speed, you should take a look at Litecoin.

Probably because none of the vulnerabilities listed at wikipedia [wikipedia.org] involve cloning the card, they all include forcing terminals into offline chip and pin mode which is not going to be supported by most US card issuers. I've been following EMV for many years now and outside of some very controlled lab experiments involving very cold temperatures and long side channel analysis nobody has managed to pull off a duplication attack for online transactions (at least nobody that's published information, and there have

One way to scam that is to put a shim in the terminal, forcing it offline. Look for an extra cable coming from the card reader.

Just don't support offline mode on the terminals then. Or maybe design the terminals so that offline mode only works if a manager enables it, and then it only works for 15 minutes. This would allow stores to not grind to a halt when there is a communications problem, but it would prevent stores from just systematically ignoring that 99% of their terminals are in offline mode 24x7.

ATM cards support offline PIN verification too, or at least the spec does. Nobody ever used it because it was known to be inse

It's doubtful that offline mode could be enabled in firmware, certainly not without some serious work. But shimming the terminal 1. Intercepts the chip data stream, 2. Triggers an apparent non chip card insertion, 3. Captures the chip data and if the cracker is good, acts like a terminal and decodes data, 4. Sends stripe data as expected, 5. Terminal received the auth and is happy happy happy.

The shim stands in to intercept the chip data, fool the terminal into accepting the card as a mag stripe, and doo

Chip + PIN effectively mitigates the weakness in magnetic strip data by embedding a chip (physical, something you have) and a pin (something you know) into the transaction process, plus many other security enhancements.

Since some of the cards stolen were debit cards, which require something you have (card with magnetic strip) and something you know (PIN), I don't see how chip+PIN is the holy grail you think it is.

Although there may be more negotiation/handshake at PoS with chip+PIN, it still comes down to two-factor auth to make that sale. And, if somebody can install software/hardware that grabbed mag strip + PIN, they likely can do the same for chip+PIN.

A PIN is not required to use a debit card today. The vast majority of them support running the transaction either through the debit networks, where you use a PIN, or through the credit networks (Visa or MasterCard) where, today anyway, you sign. So the thieves can still steal the card number off a debit card and use it just like a credit card. The only difference is that your checking account is the money that gets tied up in limbo until it's sorted out, instead of the bank's money (in the form possibly

Sorry you are wrong. Been busted, there was a proof of concept at the last black hat meeting. A west coast college presented it. Read about the hack several weeks ago, you should be able to buy the single by now. Yes it was conceptual, but the prior writeup sounded just like the chip and pin, along with further work on the NFC concept of card. As NFC was being introduced they were showing the weaknesses. The only one not busted so far is the encrypted transmission to the bank. But sure homeland has a backd

Well if it's a debit card, if i'm not mistaken, the onus is on YOU to produce proof that the charges weren't fraudulent. But mainly, while everything is pending, your money is gone. It may only be temporary, but you can't pay bills with IOU's.

Notice that the timer on reporting doesn't really start until you either 1) learn of the fraud or 2) have an opportunity to review a bank statement.

And if your credit doesn't suck (read: are a responsible adult), most card issuers won't charge you even that $50 limit because they'd rather have customers that don't badmouth them on the internet than people who are disi

Sorry about this, but you still owe the "bounced check" charge. Your bank may waive it but any in line company won't. Remember they tally at the end of the day. Your balance doesn't always show correctly till the end of day occurs at the bank. Even on debit cards.

Well, for one I have to spend my time to submit a fraud report to my bank. If using my debit card, the money is gone until the fraud is confirmed. Second, I have to wait for a new card to arrive in the mail, then try to remember who I have set up on automatic payments using my old card. Call each one of them or visit their website to enter in the new numbers. The ones that I forget will possibly result in account suspensions, etc, until after the new number is entered. Fees may be charged, which most o

So it's their fault you have a sloppy financial system? Lock the info up with encryption if it's such a bother for you.

When it happened to me, I called the bank, 5 minutes later my money had been returned, the card was no longer attached to my account directly. After that, when I got an email from various companies that my CC was no longer valid, I just changed it. Never had any interruption in any service.

On a weird note, after that call, 2 weeks later a recurring charge on that account went through. I cont

I'm refinancing my house at the moment. Having my card stolen will raise all sorts of flags, and either abort or delay the process.

My property won't be missing if I run up a massive credit card bill, but it would potentially cause me hours and hours of work, a bunch of money, and a shit-load of stress. I'd rather that the problem be fixed instead of ignoring it for another bunch of years.

Sure, chip and PIN messages can be intercepted, but the data that can be intercepted cannot be reused for a second fraudulent transaction, and cannot be tampered with.

Chip and PIN moves the trust out of the merchants' terminals and out of the network. Only the chip and the bank's systems have the secret knowledge needed to participate in the conversation. You no longer have to wonder if Home Depot's readers are safe, because it won't matter.
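The two comments above make a claim worth seeing concretely: an online EMV authorization is a per-transaction cryptogram (ARQC) computed by the chip over the amount, its own transaction counter (ATC) and a nonce from the terminal, so a shim that captures the exchange cannot replay it, alter the amount, or produce one for a cloned chip, while static magstripe track data is the credential itself. The simulation below is an added example written for this page, not code from the post or from any card scheme; it is a constructed model that uses HMAC-SHA256 in place of the real EMV session-key MAC, a constructed test PAN and key, and invented message field names.

```python
import hashlib
import hmac
import os

# Constructed sample values: a card master key that only the card and the
# issuer hold. Real EMV derives 3DES/AES session keys from the ATC; the
# HMAC-SHA256 used here is a stand-in for that MAC, not the EMV algorithm.
CARD_KEY = hashlib.sha256(b"constructed-card-master-key").digest()
PAN = "4111111111111111"  # constructed test PAN


def mac(key, msg):
    """MAC over the fields the issuer must be able to trust."""
    data = f"{msg['pan']}|{msg['amount']}|{msg['atc']}|{msg['un']}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Chip:
    """The card side: holds the key and a monotonically increasing ATC."""

    def __init__(self, pan, key):
        self.pan = pan
        self.key = key
        self.atc = 0  # Application Transaction Counter

    def generate_arqc(self, amount_cents, unpredictable_number):
        self.atc += 1
        msg = {"pan": self.pan, "amount": amount_cents,
               "atc": self.atc, "un": unpredictable_number}
        msg["arqc"] = mac(self.key, msg)
        return msg


class Issuer:
    """The bank side: the only other party holding the card key."""

    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enroll(self, chip):
        self.keys[chip.pan] = chip.key
        self.last_atc[chip.pan] = 0

    def authorize(self, msg, terminal_un):
        key = self.keys.get(msg["pan"])
        if key is None:
            return "declined: unknown card"
        # The nonce in the request must be the one the terminal just issued.
        if msg["un"] != terminal_un:
            return "declined: stale unpredictable number (replay)"
        # The counter must move forward; a replayed cryptogram carries an old ATC.
        if msg["atc"] <= self.last_atc[msg["pan"]]:
            return "declined: ATC not increasing (replay)"
        if not hmac.compare_digest(mac(key, msg), msg["arqc"]):
            return "declined: cryptogram mismatch (tampered or forged)"
        self.last_atc[msg["pan"]] = msg["atc"]
        return "approved"


def magstripe_authorize(issuer, track2):
    """Contrast: track data carries no proof of possession, only the PAN."""
    pan = track2.split("=")[0]
    return "approved" if pan in issuer.keys else "declined: unknown card"


def terminal_nonce():
    return os.urandom(4).hex()


def run_scenarios():
    chip = Chip(PAN, CARD_KEY)
    issuer = Issuer()
    issuer.enroll(chip)
    results = {}

    # 1. Honest transaction; 'captured' is what a shim in the terminal sees.
    un = terminal_nonce()
    captured = chip.generate_arqc(1999, un)
    results["honest"] = issuer.authorize(captured, un)

    # 2. Replay the captured message through a second terminal (fresh nonce).
    results["replay_new_terminal"] = issuer.authorize(captured, terminal_nonce())

    # 3. Replay with the same nonce (attacker controls the terminal).
    results["replay_same_nonce"] = issuer.authorize(captured, un)

    # 4. Tamper with the amount of a fresh, otherwise valid request.
    un = terminal_nonce()
    tampered = dict(chip.generate_arqc(500, un), amount=50000)
    results["tampered_amount"] = issuer.authorize(tampered, un)

    # 5. A cloned chip without the key cannot produce a valid cryptogram.
    clone = Chip(PAN, b"attacker-guess")
    clone.atc = chip.atc  # even a matching counter does not help
    un = terminal_nonce()
    results["cloned_chip"] = issuer.authorize(clone.generate_arqc(1999, un), un)

    # 6. Copied magstripe track 2 data (constructed) is accepted as-is.
    results["magstripe_clone"] = magstripe_authorize(issuer, f"{PAN}=2512101")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} {outcome}")
```

The point the model makes is the one in the comment: the terminal and the network never hold the key, so a compromised reader can only observe messages that are useless outside the single transaction they were generated for. It says nothing about offline mode or card-not-present use, which other comments in this thread cover.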

And in the UK, the stories of pensioners being shoulder-surfed at the ATM (or worse) while they peck away at the keypad end with them at the bank being informed that their money is gone, and they must have disclosed their PIN to someone. "Sorry, but the system is totally secure. It isn't our fault". Not as if the camera at the ATM wouldn't be showing some hoodie emptying their account, though the banks have no real incentive to investigate.

Home Depot has been replacing terminals with dip terms for EMV. But the issuers are waiting for some more traction. Most US merchants don't want to pay for the terminals, since the risk doesn't shift sufficiently for them to pay the money.

And as mentioned above, any card-not-present transactions are unaffected by EMV. Most of these rings sell cards to be used not-present. It's fairly common to place the order on the website for local pickup, grab the loot and fence it. EMV doesn't stop that.

It *could* if the store at least used the Chip + Pin to validate the person picking up the loot.

Granted, I still don't see how it helps stop people buying stuff on Amazon but that one example you provided should be fairly simple to avoid.

What do you care? the CC company pays for it, and they send you a new card.

As has already been pointed out, no, it's you that pays for it in fees.

The current interest rate on savings is what about 1%? Banks can take that money and charge 18-24%. They've got a license to print money. Do you really think they're just going to eat the loss? They're passing it on to you in dribs and drabs.

My grocery store has new Verifone readers with chip and pin slots. The things are so badly made that they reject my card on the mag strip reader until the clerks showed me a trick where you stick a plastic grocery bag between the card and mag head to make it work.

No thanks! Once my bank offered me a "Visa check card" - debit card processed through Visa's credit network - I signed up and haven't looked back. For me at least having a card isn't about spending future money, it's about not having a paycheck's worth of cash on me or my wife. It's about convenience in bill payments and purchasing. And these days, it's a wonder when paired with self checkout technology!

Also, I hate having to keep up with receipts. Electronic payments make recordkeeping so much easier.

Because your average consumer doesn't know and doesn't care that Home Depot or Target runs an IBM or NCR system. They know that Home Depot and Target screwed up forcing them to watch their statements even more closely than normal and maybe get a new card issued requiring an update of all the auto-payment stuff and made things a pain in the ass.

It's up to Home Depot and Target to then apply leverage to IBM and NCR or jump ship to another vendor. Each vendor responds to their direct customer.

It's not NCR, IBM, etc. It's Ingenico, Verifone, the other terminal makers, and the acquirers (Paymentech, First Data, etc) that handle the data, but Home Depot needs to secure the transmission of that. And I bet most of this was skimmed off of databases that needed to be another layer away from intruders.

This will be the second time my credit card gets replaced this year. The third time in 3 years.

I've tried to order stuff online and been forced to call in because the retailer subscribes to a service that considers me a 10/10 fraud risk. And not because of anything I've ever done or any charges that have shown up on my bill.

Why not just go to Chip and PIN...I dont seem to hear these stories in Canada or other places that use it, but I could be missing them...

I doubt Chip and Pin will close the security hole they have here. It's insecure POS's rather than insecure cards. Europe and Canada (and Australia) still have breaches but not as big as this for two reasons.
1). You're not allowed to pass the card details onto the POS. The POS passes the sale info to the processor and the processor passes back a PCI (Payment Card Industry) standard censored card number (the last four digits).
2). You're not permitted to store any payment details on the POS.
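The two rules in the comment above (the POS sees only a masked PAN, and stores no payment data) are easy to state and easy to violate quietly through a debug log. The script below is an added example, not code from the post or from any PCI tooling: it masks a PAN to its last four digits the way the comment describes, and scans constructed POS log lines for anything that still looks like a full card number, using the Luhn check to avoid flagging order numbers and timestamps. The log lines and PANs are constructed test values.

```python
import re

# Constructed POS log lines: one masked sale (good), one sale that logged the
# full PAN, one debug line that logged raw track 2 data, and an order number
# that is 13 digits long but is not a card number.
SAMPLE_LOG = """\
2014-09-02 10:15:01 sale terminal=07 amount=84.12 pan=************4242 auth=OK
2014-09-02 10:15:44 sale terminal=07 amount=12.00 pan=4111111111111111 auth=OK
2014-09-02 10:16:10 debug track2=5500000000000004=2512101 swiped
2014-09-02 10:16:30 sale terminal=03 amount=9.99 order=1234567890123 auth=OK
"""


def luhn_ok(digits):
    """Luhn mod-10 check used by card schemes for the PAN check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the last four digits, as the processor hands back to the POS."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    return "*" * (len(digits) - 4) + digits[-4:]


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded
# in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text):
    """Return (line number, masked PAN) for every Luhn-valid PAN in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                # Report the finding without writing the PAN out again.
                hits.append((lineno, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN found ({masked})")
```

Run against real POS or application logs the Luhn filter removes most false positives, but a hit on a "debug" line like the third one is exactly the kind of leak the comment's second rule exists to prevent; the scanner deliberately reports only the masked form so the report itself does not become another copy of cardholder data.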

The banks are reaping the rewards of years of sticking their heads in the sand on security. Europe has chip and pin which is much more secure. US credit cards are ridiculously easy to counterfeit. I hear that they are finally, slowly moving to chip and pin since their losses to fraud are increasing.

I hear that they are finally, slowly moving to chip and pin since their losses to fraud are increasing.

One of my recently replaced cards is chip and signature, and I think that's what most US-issued smart cards are using. Security-wise, it's kind of a half measure, but at least it's a step forward from complete reliance on the magstripe.

More to the point, the merchant is prohibited from declining any payment via credit card that has been approved by the terminal regardless of whether the signature matches. Further, they cannot request ID as part of the checkout---per their payment processing agreement.

You know, I think it's true that Europe had a much higher rate of fraud, which convinced them to move to chip&pin sooner.

Yes, I've heard that they're working to move to chip&pin, my bank sent out a notice that they're working on it. When I get closer to the expiration of my card I might call them up and ask to be moved over as I actually travel internationally occasionally and it'd be nice to be able to use my card in European stores.

Not any time soon - as it happens, I have an Amazon card from Chase and just got the replacement for an expiring card - no chip and pin, I called and asked about it and they said they MAY have it when my next card comes in 3 years...so don't hold your breath.

I mention Amazon specifically because other commenters seem to think that anything Amazon is immune and safe...not so fast young grasshopper...

Nope, they will issue a new card with at least chip and signature by next fall, October 2015 is the deadline from Visa for the card providers to move over as well as the merchants. After that date if the card issuer has issued a chip card and the merchant uses the magstripe then the merchant is liable for the fraud, there is no way in hell any card issuer is going to give up that kind of liability offload for one moment, let alone 2 years. The idiot bots that answer the phone have no idea what's actually go

I am suddenly grateful we've been using a store branded Home Depot credit card for the last few years. Replacing that with a new one won't be painful at all. I think I've paid cash if the amount was under $10, too.

Still going to go through ye old checking account and verify there's no HD charges on there since April.

I've worked at several companies and most of them store passwords in plain text. They've been doing it for decades and I ALWAYS make a new task/story/project, etc. that involves implementing proper security. Only once did I get a company to prioritize it to the point where it actually got done.

I am going to start using cash a lot more often until the system has its act together. All of the crooks are busy robbing people the 21st century way anyhow. The good news is that between this and the NSA's shenanigans, security development efforts are on fire right now. It's long overdue.

The local Home Depot also ties CC #'s to your email, allowing you to receive copies of your receipts in email. This is very useful if you need to keep receipts for tax purposes. However, if they're tying this to the plain-text CC info, not good at all (I had assumed some modicum of intelligence and that the emails were tied to name+hash).

As a merchant who accepts credit cards, a few years back they came up with PCI Compliance. First you had to show some very basic data security. Then, they tried to sell you insurance. Then, they required you to take the data security insurance. If you are "PCI noncompliant" then you get tagged $20.00 per month.
I appreciate how they made this too into an opportunity to gouge the small merchant, to no effect at the high end.

Some of the stupidest ppl elsewhere and here screamed that target was caused by having an HVAC key. So, I guess that HVAC everywhere is making it possible to break into these systems?
Or is it far more likely that all of them using Windows, combined with using off-shore admin/coding, specifically India where the 60 rupees to $1 means that their engineers are making less than $10K / year, the far more likely route?

My bet is that the idiots, combined with those who are doing the bribes, continue to push the